On occasion, you may need to generate new certificates for an ESXi host, typically because the host name has changed or the original certificates have been lost or deleted. Luckily, the process to force ESXi to generate new certificates is straightforward.
Start by logging into the ESXi CLI shell as a root user, then change to the /etc/vmware/ssl directory, which will have contents similar to those shown below:
/etc/vmware/ssl # ls -la
drwxr-xr-x 1 root root  512 Dec 20 19:52 .
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.crt
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.key
drwxr-xr-x 1 root root  512 Dec 20 20:21 ..
-rw-r--r-- 1 root root 1428 Dec 20 19:52 rui.crt
-r-------- 1 root root 1679 Dec 20 19:52 rui.key
The two files we are interested in are rui.crt and rui.key. Before going any further, it is advisable to back up the original certificates by renaming them. To do so, run:
/etc/vmware/ssl # mv rui.crt orig.rui.crt
/etc/vmware/ssl # mv rui.key orig.rui.key
List the directory contents again to confirm that the files have been renamed:
/etc/vmware/ssl # ls -la
drwxr-xr-x 1 root root  512 Dec 20 20:31 .
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.crt
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.key
drwxr-xr-x 1 root root  512 Dec 20 20:32 ..
-rw-r--r-- 1 root root 1428 Dec 20 19:52 orig.rui.crt
-r-------- 1 root root 1679 Dec 20 19:52 orig.rui.key
To generate the new certificates, run:
~ # /sbin/generate-certificates
List the directory again; the new certificates should be visible:
/etc/vmware/ssl # ls -la
drwxr-xr-x 1 root root  512 Dec 20 20:38 .
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.crt
-r--r--r-T 1 root root    0 Sep  6  2013 .#rui.key
drwxr-xr-x 1 root root  512 Dec 20 20:38 ..
-rw-r--r-- 1 root root 1428 Dec 20 19:52 orig.rui.crt
-r-------- 1 root root 1679 Dec 20 19:52 orig.rui.key
-rw-r--r-- 1 root root 1419 Dec 20 20:38 rui.crt
-r-------- 1 root root 1679 Dec 20 20:38 rui.key
For the new certificates to be used, either restart the host or restart the host's management agents, as described in this post.
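A directory listing only shows that the files exist. The script below is an added example, not part of the original post: run after /sbin/generate-certificates, it checks that the new rui.crt and rui.key belong together, that the certificate really differs from orig.rui.crt, and that the key kept its owner-only permissions. It assumes an RSA key pair and that the openssl binary is available in the ESXi shell; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: post-regeneration checks on the files named in the article.
# Assumptions: RSA key pair, openssl present in the ESXi shell.

# Modulus of the public key inside a certificate / behind a private key.
cert_modulus() { openssl x509 -in "$1" -noout -modulus; }
key_modulus()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null; }

# SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when rui.crt and rui.key in directory $1 belong together.
pair_matches() {
    c=$(cert_modulus "$1/rui.crt") || return 1
    k=$(key_modulus "$1/rui.key") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when rui.crt is a different certificate from the renamed original.
cert_changed() {
    [ "$(cert_fingerprint "$1/rui.crt")" != "$(cert_fingerprint "$1/orig.rui.crt")" ]
}

# True when the private key has no group/other permission bits set.
key_is_private() {
    [ "$(ls -l "$1/rui.key" | cut -c5-10)" = "------" ]
}

verify_regenerated() {
    dir=$1; rc=0
    pair_matches "$dir"   || { echo "FAIL: rui.crt and rui.key do not match"; rc=1; }
    cert_changed "$dir"   || { echo "FAIL: rui.crt is identical to orig.rui.crt"; rc=1; }
    key_is_private "$dir" || { echo "FAIL: rui.key is readable by group/other"; rc=1; }
    # Subject and validity window, to compare against the current host name.
    openssl x509 -in "$dir/rui.crt" -noout -subject -dates
    echo "SHA-256 fingerprint: $(cert_fingerprint "$dir/rui.crt")"
    return $rc
}

# Run only where the ESXi certificate directory exists.
if [ -f /etc/vmware/ssl/rui.crt ]; then
    verify_regenerated /etc/vmware/ssl
fi
```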